author chris <chris@FreeBSD.org> 2002-12-05 00:05:38 +0000
committer chris <chris@FreeBSD.org> 2002-12-05 00:05:38 +0000
commit b7154336a2e44c5cc155547003e3a761754f9bc4
tree 6011355b28ad96a0f07ddb38f695bfa878c9aeb3 /share/man/man9
parent adb9b4e9bec41e599dafb4a1adc720a9e55cf10b
Document the following MAC policies:

o Biba: A data integrity policy
o BSD Extended: Support for the firewall-like access controls (ugidfw(8))
o MLS: Multi-level security, a confidentiality policy

(These files originally lived in src/share/man/man9)

Approved by: re (blanket)
Sponsored by: DARPA, Network Associates Labs
Obtained from: TrustedBSD Project
Diffstat (limited to 'share/man/man9')
-rw-r--r-- share/man/man9/Makefile 2
-rw-r--r-- share/man/man9/mac_biba.9 182
-rw-r--r-- share/man/man9/mac_bsdextended.9 80
-rw-r--r-- share/man/man9/mac_mls.9 202
4 files changed, 1 insertions, 465 deletions
diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile
index 8451c74..7abdb28 100644
--- a/share/man/man9/Makefile
+++ b/share/man/man9/Makefile
@@ -48,7 +48,7 @@ MAN= BUF_LOCK.9 BUF_LOCKFREE.9 BUF_LOCKINIT.9 BUF_REFCNT.9 \
jumbo.9 \
kernacc.9 kobj.9 kthread.9 ktr.9 \
lock.9 \
- mac.9 mac_biba.9 mac_bsdextended.9 mac_mls.9 \
+ mac.9 \
make_dev.9 malloc.9 mbchain.9 mbuf.9 mdchain.9 \
mi_switch.9 microseq.9 microtime.9 microuptime.9 \
module.9 mtx_pool.9 mutex.9 \
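Review bot: dropping mac_biba.9, mac_bsdextended.9 and mac_mls.9 from MAN on the changed line is not explained by the commit message, which says "Document the following MAC policies" and only hints at a move with "These files originally lived in src/share/man/man9". State the destination directory and manual section in the message so this removal can be matched to the corresponding add, and confirm that mac.9, which stays in MAN, does not still cross-reference the three pages in section 9.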
diff --git a/share/man/man9/mac_biba.9 b/share/man/man9/mac_biba.9
deleted file mode 100644
index b301bdf..0000000
--- a/share/man/man9/mac_biba.9
+++ /dev/null
@@ -1,182 +0,0 @@
-.\" Copyright (c) 2002 Networks Associates Technology, Inc.
-.\" All rights reserved.
-.\"
-.\" This software was developed for the FreeBSD Project by Chris
-.\" Costello at Safeport Network Services and NAI Labs, the Security
-.\" Research Division of Network Associates, Inc. under DARPA/SPAWAR
-.\" contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS
-.\" research program.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $FreeBSD$
-.Dd NOVEMBER 18, 2002
-.Os
-.Dt MAC_BIBA 9
-.Sh NAME
-.Nm mac_biba
-.Nd Biba data integrity policy
-.Sh SYNOPSIS
-.Cd "options MAC"
-.Li "kldload mac_biba"
-.Sh DESCRIPTION
-The
-.Nm
-policy module implements the Biba integrity model,
-which protects the integrity of system objects and subjects by means of
-a strict information flow policy.
-In Biba, all system subjects and objects are assigned integrity labels, made
-up of hierarchal grades, and non-hierarchal components.
-Together, these label elements permit all labels to be placed in a partial
-order, with information flow protections based on a dominance operator
-describing the order.
-The hierarchal grade field is expressed as a value between 0 and 65535,
-with higher values reflecting higher integrity.
-The non-hierarchal compartment field is expressed as a set of up to 256
-components, numbered from 0 to 255.
-A complete label consists of both hierarchal and non-hierarchal elements.
-.Pp
-Three special label values exist:
-.Bl -column -offset indent ".Sy Label" ".Sy Comparison"
-.It Sy Label Ta Ta Sy Comparison
-.It Li biba/low Ta Ta Ta lower than all other labels
-.It Li biba/equal Ta equal to all other labels
-.It Li biba/high Ta higher than all other labels
-.El
-.Pp
-The
-.Dq biba/high
-label is assigned to system objects which affect the ingrity of the system
-as a whole.
-.Dq biba/equal
-may be used to indicate that a particular subject or object is exempt from
-the Biba protections.
-These special label values are not specified as containing any compartments,
-although in a label comparison,
-.Dq biba/high
-appears to contain all compartments,
-.Dq biba/equal
-the same compartments as the other label to which it is being compared,
-and
-.Dq biba/low
-none.
-.Pp
-Almost all system objects are tagged with a single, active label element,
-reflecting the integrity of the object, or integrity of the data contained
-in the object.
-In general, objects labels are represented in the following form:
-.Pp
-.Dl biba/grade:compartments
-.Pp
-For example:
-.Pp
-.Bd -literal -offset indent
-biba/10:2,3,6
-biba/low
-.Ed
-.Pp
-Subject labels consist of three label elements: a single (active) label,
-as well as a range of available labels.
-This range is represented using two ordered Biba label elements, and when set
-on a process, permits the process to change its active label to any label of
-greater or equal integrity to the low end of the range, and lesser or equal
-integrity to the high end of the range.
-In general, subject labels are represented in the following form:
-.Pp
-.Dl biba/singlegrade:singlecompartments(lograde:locompartments-
-.Dl higrade:hicompartments)
-.Pp
-For example:
-.Bd -literal -offset indent
-biba/10:2,3,6(5-20:2,3,4,5,6)
-biba/high(low-high)
-.Ed
-.Pp
-Valid ranged labels must meet the following requirement regarding their
-elements:
-.Pp
-.Dl rangehigh >= single >= rangelow
-.Pp
-One class of objects with ranges currently exists, the network interface.
-In the case of the network interface, the single label element references the
-default label for packets received over the interface, and the range
-represents the range of acceptable labels of packets to be transmitted over
-the interface.
-.Pp
-In general, Biba access control takes the following model:
-.Bl -bullet
-.It
-A subject at the same integrity level as an object may both read from
-and write to the object as though Biba protections were not in place.
-.It
-A subject at a higher integrity level than an object may write to the object,
-but not read the object.
-.It
-A subject at a lower integrity level than an object may read the object,
-but not write to the object.
-.It
-If the subject and object labels may not be compared in the partial order,
-all access is restricted.
-.El
-.Pp
-These rules prevent subjects of lower integrity from influencing the
-behavior of higher integrity subjects by preventing the flow of information,
-and hence control, from allowing low integrity subjects to modify either
-a high integrity object or high integrity subjects acting on those objects.
-Biba integrity policies may be appropriate in a number of environments,
-both from the perspective of preventing corruption of the operating system,
-and corruption of user data if marked as higher integrity than the attacker.
-In traditional trusted operating systems, the Biba integrity model is used
-to protect the Trusted Code Base (TCB).
-.Pp
-The Biba integrity model is similar to
-.Xr LOMAC 9 ,
-with the exception that LOMAC permits access by a higher integrity subject
-to a lower integrity object, but downgrades the integrity level of the subject
-to prevent integrity rules from being violated.
-Biba is a fixed label policy in that all subject and object label changes are
-explicit, whereas LOMAC is a floating label policy.
-.Pp
-The Biba integrity model is also similar to
-.Xr mac_mls 9 ,
-with the exception that the dominance operator and access rules are reversed,
-preventing the downward flow of information rather than the upward flow of
-information.
-Multi-Level Security (MLS) protects the confentiality, rather than the
-integrity, of subjects and objects.
-.Sh SEE ALSO
-.Xr LOMAC 9 ,
-.Xr mac 9 ,
-.Xr mac_mls 9
-.Sh HISTORY
-The
-.Nm
-policy module first appeared in
-.Fx 5.0
-and was developed by the TrustedBSD Project.
-.Sh AUTHORS
-This software was contributed to the
-.Fx
-Project by Network Associates Labs,
-the Security Research Division of Network Associates
-Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
-as part of the DARPA CHATS research program.
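Review bot: the special-label table in DESCRIPTION has an inconsistent number of column separators: the biba/low row reads ".It Li biba/low Ta Ta Ta lower than all other labels" while the biba/equal and biba/high rows use a single Ta, so the two-column list will not line up; use the same separator count on every row in whatever copy of this text is kept. The same text has spelling errors that should not be carried forward ("ingrity", "confentiality", "objects labels", "hierarchal"), and it expands TCB as "Trusted Code Base" where the usual term is Trusted Computing Base. The ".Dt MAC_BIBA 9" header and the ".Xr mac_mls 9" references in DESCRIPTION and SEE ALSO are tied to section 9 and need updating if the page lands in another section. Unlike mac_mls.9, this page has no BUGS section noting that MAC Framework policies should not be relied on in isolation against a privileged user; the caveat applies equally to an integrity policy.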
diff --git a/share/man/man9/mac_bsdextended.9 b/share/man/man9/mac_bsdextended.9
deleted file mode 100644
index ec76d97..0000000
--- a/share/man/man9/mac_bsdextended.9
+++ /dev/null
@@ -1,80 +0,0 @@
-.\" Copyright (c) 2002 Networks Associates Technology, Inc.
-.\" All rights reserved.
-.\"
-.\" This software was developed for the FreeBSD Project by Chris
-.\" Costello at Safeport Network Services and NAI Labs, the Security
-.\" Research Division of Network Associates, Inc. under DARPA/SPAWAR
-.\" contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS
-.\" research program.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. The names of the authors may not be used to endorse or promote
-.\" products derived from this software without specific prior written
-.\" permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $FreeBSD$
-.Dd OCTOBER 16, 2002
-.Os
-.Dt MAC_BSDEXTENDED 9
-.Sh NAME
-.Nm mac_bsdextended
-.Nd subject-object interaction rules policy
-.Sh SYNOPSIS
-.\" .Cd options MAC_BSDEXTENDED
-.Li kldload mac_bsdextended
-.Sh DESCRIPTION
-The
-.Nm
-interface provides an interface for the system administrator
-to impose mandatory rules regarding users and some system objects.
-Rules are uploaded to the module
-(typically using
-.Xr libugidfw 3 )
-where they are stored internally
-and used to determine whether to allow or deny specific accesses
-(see
-.Xr ugidfw 8 ) .
-.Sh IMPLEMENTATION NOTES
-While the traditional
-.Xr mac 9
-entry points are implemented,
-policy labels are not used;
-instead, access control decisions are made by iterating through the internal
-list of rules until a rule
-which denies the particular access
-is found,
-or the end of the list is reached.
-.Sh SEE ALSO
-.Xr libugidfw 3 ,
-.Xr ugidfw 8 ,
-.Xr mac 9
-.Sh HISTORY
-The
-.Nm
-interface was first introduced in
-.Fx 5.0 .
-.Sh AUTHORS
-This software was contributed to the
-.Fx
-Project by NAI Labs, the Security Research Division of Network Associates
-Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
-as part of the DARPA CHATS research program.
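Review bot: IMPLEMENTATION NOTES describes evaluation as iterating "until a rule which denies the particular access is found, or the end of the list is reached" but never states the outcome when the end of the list is reached. As written, an access that matches no rule is implicitly allowed, and for a policy the commit message calls firewall-like that default should be spelled out in DESCRIPTION so administrators do not assume default-deny. SYNOPSIS also omits the "options MAC" requirement that the other two pages list (its only .Cd line is commented out), DESCRIPTION opens with "interface provides an interface", and the license header carries a third clause that mac_biba.9 and mac_mls.9, under the same copyright line, do not.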
diff --git a/share/man/man9/mac_mls.9 b/share/man/man9/mac_mls.9
deleted file mode 100644
index 15ffba8..0000000
--- a/share/man/man9/mac_mls.9
+++ /dev/null
@@ -1,202 +0,0 @@
-.\" Copyright (c) 2002 Networks Associates Technology, Inc.
-.\" All rights reserved.
-.\"
-.\" This software was developed for the FreeBSD Project by Chris
-.\" Costello at Safeport Network Services and Network Associates Labs,
-.\" the Security Research Division of Network Associates, Inc. under
-.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
-.\" DARPA CHATS research program.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $FreeBSD$
-.Dd DECEMBER 1, 2002
-.Os
-.Dt MAC_MLS 9
-.Sh NAME
-.Nm mac_mls
-.Nd Multi-Level Security confidentiality policy
-.Sh SYNOPSIS
-To compile MLS into your kernel, place the following lines in your kernel
-configuration file:
-.Cd "options MAC"
-.Cd "options MAC_MLS"
-.Pp
-Alternately, to load the MLS module at boot time, place the following line
-in your kernel configuration file:
-.Cd "options MAC"
-.Pp
-and in
-.Xr loader.conf 5 :
-.Cd mac_mls_load= Ns \&"YES"
-.Sh DESCRIPTION
-The
-.Nm
-policy module implements the Multi-Level Security, or MLS model,
-which controls accesses between subjects and objects based on their
-confidentiality by means of a strict information flow policy.
-Each subject and object in the system has an MLS label associated with it;
-each subject's MLS label contains information on its clearance level,
-and each object's MLS label contains information on its classification.
-.Pp
-In MLS, all system subjects and objects are assigned confidentiality labels,
-made up of a sensitivity level and zero or more compartments.
-Together, these label elements permit all labels to be placed in a partial
-order, with confidentiality protections based on a dominance operator
-describing the order.
-The sensitivity level is expressed as a value between 0 and
-65535, with higher values reflecting higher sensitivity levels.
-The compartment field is expressed as a set of up to 256 components,
-numbered from 0 to 255.
-A complete label consists of both sensitivity and compartment
-elements.
-.Pp
-With normal labels, dominance is defined as a label having a higher
-or equal active sensitivity level, and having at least
-all of the same compartments as the label to which it is being compared.
-With respect to label comparisons,
-.Dq lower
-is defined as being dominated by the label to which it is being compared,
-and
-.Dq higher
-is defined as dominating the label to which it is being compared,
-and
-.Dq equal
-is defined as both labels being able to satisfy the dominance requirements
-over one another.
-.Pp
-Three special label values exist:
-.Bl -column -offset indent ".Sy Label" ".Sy Comparison"
-.It Sy Label Ta Ta Sy Comparison
-.It Li mls/low Ta Ta dominated by all other labels
-.It Li mls/equal Ta equal to all other labels
-.It Li mls/high Ta Ta dominates all other labels
-.El
-.Pp
-The MLS model enforces the following basic restrictions:
-.Bl -bullet
-.It
-Subjects may not observe the processes of another subject if its
-clearance level is lower than the clearance level of the object it is
-attempting to observe.
-.It
-Subjects may not read, write, or otherwise observe objects without proper
-clearance (i.e. subjects may not observe objects whose classification label
-dominates its own clearance label)
-.It
-Subjects may not write to objects with a lower classification level than
-its own clearance level.
-.It
-A subject may read and write to an object if its clearance level is equal
-to the object's classification level as though MLS protections were not in
-place.
-.El
-.Pp
-These rules prevent subjects of lower clearance from gaining access
-information classified beyond its clearance level in order to protect the
-confidentiality of classified information, subjects of higher clearance
-from writing to objects of lower classification in order to prevent the
-accidental or malicious leaking of information, and subjects of lower
-clearance from observing subjects of higher clearance altogether.
-In traditional trusted operating systems, the MLS confidentiality model is
-used in concert with the Biba integrity model
-.Xr ( mac_biba 9 )
-in order to protect the Trusted Code Base (TCB).
-.Ss Label Format
-Almost all system objects are tagged with a single, active label element,
-reflecting the classification of the object, or classification of the data
-contained in the object.
-In general, object labels are represented in the following form:
-.Pp
-.Dl mls/grade:compartments
-.Pp
-For example:
-.Pp
-.Bd -literal -offset indent
-mls/10:2,3,6
-mls/low
-.Ed
-.Pp
-Subject labels consist of three label elements: a single (active) label,
-as well as a range of available labels.
-This range is represented using two ordered MLS label elements, and when set
-on a process, permits the process to change its active label to any label of
-greater or equal integrity to the low end of the range, and lesser or equal
-integrity to the high end of the range.
-In general, subject labels are represented in the following form:
-.Pp
-.Dl mls/singlegrade:singlecompartments(lograde:locompartments-
-.Dl higrade:hicompartments)
-.Pp
-For example:
-.Bd -literal -offset indent
-mls/10:2,3,6(5-20:2,3,4,5,6)
-mls/high(low-high)
-.Ed
-.Pp
-Valid ranged labels must meet the following requirement regarding their
-elements:
-.Pp
-.Dl rangehigh >= single >= rangelow
-.Pp
-One class of objects with ranges currently exists, the network interface.
-In the case of the network interface, the single label element references
-the default label for packets received over the interface, and the range
-represents the range of acceptable labels of packets to be transmitted over
-the interface.
-.Sh IMPLEMENTATION NOTES
-Currently, the
-.Nm
-policy relies on superuser status
-.Xr ( suser_cred 9 )
-in order to change network interface MLS labels.
-This will eventually go away, but it is currently a liability and may
-allow the superuser to bypass MLS protections.
-.Sh SEE ALSO
-.Xr maclabel 7 ,
-.Xr mac 9 ,
-.Xr mac_biba 9
-.Sh HISTORY
-The
-.Nm
-policy module first appeared in
-.Fx 5.0
-and was developed by the TrustedBSD Project.
-.Sh AUTHORS
-This software was contributed to the
-.Fx
-Project by Network Associates Labs,
-the Security Research Division of Network Associates
-Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
-as part of the DARPA CHATS research program.
-.Sh BUGS
-See
-.Xr mac 9
-concerning appropriateness for production use.
-The TrustedBSD MAC Framework is considered experimental in
-.Fx .
-.Pp
-While the MAC Framework design is intended to support the containment of
-the root user, not all attack channels are currently protected by entry
-point checks.
-As such, MAC Framework policies should not be relied on, in isolation,
-to protect against a malicious privileged user.
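Review bot: the subject-range paragraph under Label Format still speaks of "greater or equal integrity" and "lesser or equal integrity", wording carried over from the Biba page; in a confidentiality policy the range should be described in terms of sensitivity or dominance. The restrictions list is also inconsistent with the summary that follows it: the second bullet forbids "read, write, or otherwise observe" for objects whose label dominates the subject's, while the summary paragraph only describes blocking access to higher-classified information and writes to lower-classified objects, so the page should say plainly whether writing to a dominating object is denied. The first bullet mixes "subject" and "object" when describing process observation, and "gaining access information" is missing "to". The IMPLEMENTATION NOTES admission that the superuser check may allow bypassing MLS protections on network interface labels is the kind of caveat that belongs in BUGS next to the privileged-user warning, where readers will look for it.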